LPLC has produced a guide full of practical information to help lawyers be cybersafe. The guide outlines 5 key areas of focus and explains why each is important to be included in cybersafe strategies for law practices. For each key area the guide provides a checklist of practical steps to take to secure any legal practice.

Cyber Security Guide for Lawyers April 2024 (PDF, 742.41 KB)

Law firms of all sizes, including sole practitioners, are targeted every day by cyber criminals from all over the world. Most law firms transact large amounts of money and hold confidential information that criminals can sell or use to extort a ransom payment.

Failure to protect your business and your clients’ money and information could be costly both financially and to your firm’s reputation.

Basic information for everyone

Every staff member in a law firm is responsible for keeping the firm safe from cyber-attack. There are many things that everyone can do, and this guide addresses the five basic areas to focus on to help lock the door on cyber-crime. It is important that everyone in a firm understands what the risks are and what part they must play in keeping the firm safe.

The Australian Cyber Security Centre website is a good place for everyone to start to review basic information about protecting your business online. Register for the Australian Cyber Security Centre's Alert Service to receive updates on scams, risks and preventative action to protect your firm and your clients.

It is everyone's business

Cyber security is not just an IT issue. It is an essential part of today’s legal practice, and everyone in your firm has a critical role in preventing cyber-crime. There is no silver bullet to protect your firm and your clients’ money. The concept of cyber security must be built into everything people do in a law firm.

The approach to cyber security needs to be multi-pronged. This guide sets out five key areas to address, underlines why they are important, and explains what can be done and how to do it. Included in this guide are links to valuable resources and information.

Secure your technology

Security software

Install reputable security software on all computers, including those used for remote access, with at least daily updates to the signature database and a daily full scan of files.

Business grade email

Use a business-grade hosted email service rather than a free web-based email account, as the security offered is much higher.

Custom domain set up

Use a custom domain name for your email rather than a free or generic email account like Gmail or Hotmail. This makes it harder for cyber criminals to impersonate your email address and provides better security and spam filters.

Software updates

Register for alerts to all software updates and promptly install them.

Multi-factor authentication

Implement multi-factor authentication for all devices and cloud-based systems. If using Office 365, ensure you turn on two-factor authentication.

Web filtering

Use a Domain Name System (DNS) based web filtering service to block high-risk websites.

Backup files

Backup files automatically, at least daily.

User security

Ensure users return office devices, and can no longer access office systems, once their employment ceases.

Strong passwords

Have a documented policy and process for:

  • creation of strong passwords that are changed regularly
  • restricted use of removable media like USB sticks, DVDs, CDs and memory cards

Secure Your Technology checklist (JPG, 1.50 MB)

Establish policies and procedures

Electronic funds transfers

Electronic funds transfers of money, including trust money, and email payment instructions

Security measures

Regularly review these, as security measures are continually changing as cyber threats evolve.

Client information

System access

Staff training

Establish Policies and Procedures checklist (JPG, 1.13 MB)

Create a culture of cyber risk awareness

Create a secure email culture

Require everyone to:

  • always verify emailed payment details before transferring funds in accordance with office policy
  • never open unknown or suspicious attachments or links
  • regularly audit staff email settings, particularly their email rules, to ensure their emails are not being redirected by cyber criminals
  • not use public wi-fi for work purposes
  • be alert to anything unusual or suspicious and check it appropriately
  • adhere to the firm's policies and procedures about cyber security
  • have an email retention/deletion policy
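The email-rule audit in the list above is something a firm on Office 365 can script rather than check mailbox by mailbox. The following is an added example, not part of the LPLC guide: an Exchange Online PowerShell script that lists every user mailbox and flags mailbox-level forwarding and inbox rules that forward or redirect mail outside the firm, delete messages, or tuck them into rarely read folders, all of which are common signs that an account has been compromised. It assumes the ExchangeOnlineManagement module is installed and the account running it has Exchange administrator rights; the `$InternalDomains` value is a constructed placeholder to replace with your own email domains.

```powershell
# Added example (not from the LPLC guide): audit Exchange Online mailboxes for
# forwarding settings and inbox rules that redirect, forward or hide mail.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.

$InternalDomains = @('example-lawfirm.com.au')   # placeholder: your firm's own email domains

Connect-ExchangeOnline

function Test-ExternalRecipient {
    # Returns $true if any recipient address is outside the firm's domains.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        # Rule recipients look like '"Name" [SMTP:user@domain]' or a plain address
        if ($r -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $r }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($InternalDomains -notcontains $domain) { return $true }
    }
    return $false
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding (set by an admin, or by an attacker with admin access)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '(mailbox forwarding)'
            Reason  = "Forwards to $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
        }
    }

    # Inbox rules created by the user (or by whoever holds the user's credentials)
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName
    foreach ($rule in $rules) {
        $reasons = @()
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
        if ($targets.Count -gt 0 -and (Test-ExternalRecipient $targets)) {
            $reasons += 'forwards or redirects mail outside the firm'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($rule.MoveToFolder -match 'RSS|Archive|Deleted|Junk') {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = "$($rule.Name) (enabled: $($rule.Enabled))"
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation
```

Run it on a schedule and compare each CSV against the previous one: a rule that forwards to an address outside the firm and also deletes or moves the original is the pattern most often seen after a payment-redirection compromise, and it deserves a phone call to the mailbox owner the same day.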

READ

National Archives Australia website on managing email

Australian Law Reform Commission on data security and information destruction and retention requirements

Australian Government Business website on record keeping

Up-to-date staff training

Provide regular and up-to-date training to all existing staff and new joiners, including students, interns, and temporary staff about:

  • cyber risk and their role in minimising it
  • the firm's relevant policies and incident response plan
  • who to contact if a suspected incident has occurred: 'see something, say something'

Appoint a responsible staff member

Appoint a staff member to be responsible for ensuring:

  • the steps outlined in this guide are implemented
  • cyber security news, updates and recent issues are regularly communicated and easily available as a reference

Centralised information

Have a centralised place for storing cyber risk information, including the firm's cyber action plans, policy and up-to-date points of contact which can be accessed by all staff.

Create a Culture of Cyber Risk Awareness checklist (JPG, 1.23 MB)

Warn clients about cyber risks

Explain risks to clients

Explain the risks of fraudulent emails to clients in your face-to-face meeting.

Confirm risks

Confirm the risks of fraudulent emails to clients in writing.

Verify email requests

As part of your retainer, tell clients, and confirm it in writing, that you require them to verify any email requests by your firm for payment before transferring money.

Include a warning message

Add a warning to your email footer about the risks of relying on payment details in email.

Warn Clients About Cyber Risks checklist (JPG, 766.26 KB)

Have an incident response plan

Document a plan

Document what to do if a cyber incident occurs.

Document procedures to help clients

Document what to do if your client pays money to the wrong account.

Your plan should include:

Test plans and procedures

Test that everyone is clear about what they are required to do if something goes wrong.

Have an Incident Response Plan checklist (JPG, 1.15 MB)